CVE-2026-42524
Published 2026-04-29
Severity: high, 8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | credentials_binding | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | github | — | — |
| jenkins | github_branch_source | — | — |
| jenkins | github_branch_source_plugin | — | — |
| jenkins | github_plugin | — | — |
| jenkins | html_publisher | <= 427 | — |
| jenkins | html_publisher | — | — |
| jenkins | html_publisher_plugin | — | — |
| jenkins | matrix_authorization_strategy | — | — |
| jenkins | matrix_authorization_strategy_plugin | — | — |
| jenkins | script_security | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins_project | jenkins_html_publisher_plugin | <= 427 | — |